The January 2023 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating Exchange servers in their environment.
More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
Defense-in-depth: Enable Certificate Signing of PowerShell Serialization Payload
Serialization is the process of converting the state of an object into a form (stream of bytes) that can be persisted or transmitted to memory, a database, or a file. PowerShell, for example, uses serialization (and its counterpart deserialization) when passing objects between sessions. To defend Exchange servers against attacks on serialized data we’ve added certificate-based signing of PowerShell serialization payloads in the January 2023 SUs. In the first stage of rollout, this new feature must be manually enabled by an Exchange Server admin due to feature dependencies. This article details the steps to enable certificate-based signing of serialization data in Exchange Server. We have also released a script you can use to validate/create the required auth certificate in your organization or you can do it manually.
The following update paths are available:
Install the latest CU. Use the Exchange Update Wizard to choose your current CU and your target CU to get directions.
Inventory your Exchange Servers to determine which updates are needed using the Exchange Server Health Checker script. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs, SUs, or manual actions).
Re-run the Health Checker after you install an SU to see if any further actions are needed.
This release unblocks customers who are not able to enable Extended Protection (EP) because they are using a Retention Policy with Retention Tags that perform Move-to-Archive actions. Note: if you worked around this problem using the updated Exchange Server Extended Protection script, you should roll back the applied IP restrictions after installing this SU by following the script documentation.
When should we enable the new certificate signing of PowerShell serialization payload feature? This feature should be enabled only after you have updated all your Exchange Servers to the January 2023 (or newer) SU. Enabling the feature before all servers are updated might lead to failures and errors when managing your organization.
Why do we need to enable the new certificate signing manually? Why does Microsoft not enable the feature automatically? Our intention is to enable certificate signing of PowerShell serialization payload by default in a future update. The feature relies on a valid auth certificate being present in the organization, so we wanted to give admins a chance to validate their certificate before enabling a feature that depends on it (certificate issues could lead to unexpected results and errors if the feature was enabled by default.) We have released a script you can use to validate / create this certificate.
Our organization is in Hybrid mode with Exchange Online. Do we need to do anything? Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing the January 2023 SU, you should re-run the Hybrid Configuration Wizard.
The last SU that we installed is a few months old. Do we need to install all SUs in order, to install the latest one? SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this blog post for more information.
Updates to this post:
9/18/2023: Removed the warning about Exchange 2013 servers. The serialization KB article has necessary instructions and we missed removed the warning.
3/9/2023: Added a known issues (applies to servers that have or had January SU installed) - where uninstallation of the server might fail.
3/3/2023: Added the resolved issue for customers who were blocked from enabling Extended Protection and using archiving
1/25/2023: Added a link to a KB article on services not starting automatically if Exchange 2016 is installed on Windows Server 2012 R2.
1/23/2023: Added a link to a KB article for one of known issues.
1/12/2023: Added a note that signing of serialization payload feature is not recommended at this time if Exchange Server 2013 is present in the organization. If you have Exchange Server 2013 and already enabled this feature, you can simply disable it.
1/11/2023: Added an issue (still being investigated) where Exchange services might not start automatically if update is installed on an Exchange Server 2016 running on Windows Server 2012 R2.